E-Voting Machines Need Paper Audits to be Trustworthy

E-Voting Machines Need Paper Audits to be Trustworthy

Election security experts concerned about voting machines are calling for an audit of ballots in the three states where the presidential election was very close: Michigan, Wisconsin and Pennsylvania. We agree. This is an important election safety measure and should happen in all elections, not just those that have a razor-thin margin.

Voting machines, especially those that have digital components, are intrinsically susceptible to being hacked. The main protection against hacking is for voting machines to provide an auditable paper trail.

However, if that paper trail is never audited, it's useless.

EFF worked hard, alongside many others, to ensure that paper trails were available in many places across the nation. While there are still places without them, we have made great strides. Yet this election was a forceful reminder of how vulnerable all computer systems are.

We not only need elections to be auditable, we need them to be audited.

We should use this opportunity to set a precedent of auditing electronic voting results to strengthen confidence—not only in this election, but in future ones.

There is precedent for hackers attempting to influence elections by tampering with voting infrastructure: Ukraine's 2014 election came under attack from pro-Russian hackers, and this spring Bloomberg reported on how a team of hackers targeted elections throughout Latin America. There was also plenty of hacking related to the 2016 US election, with two separate major dumps of political emails and several reports of attempted attacks on election systems. These attacks tell us that hacking groups, some of whom may be nation states, were particularly interested in affecting this election's outcome.

Of course, there is good reason to believe US voting machines are vulnerable; for years, EFF along with hundreds of security experts nationwide and even worldwide sounded the alarm about the risk posed by insecure voting machines. EFF handledmanycases arising from problems with the machines. In 2004, California decertified many voting machines due to serious security flaws.

Most e-voting machines are not connected to the Internet, but disconnection isn't a sufficient defense against hacking. Malware can be engineered to cross a so-called air gap by riding on removable storage media like thumb drives and SD cards. The Stuxnet worm is a remarkable example of this in action. It was designed to infect internet-connected workstations and then copy itself over whenever a thumb drive was plugged into those workstations. Once an infected thumb drive was plugged into an air-gapped system, the worm would install itself and begin its work. The voting machines used in America are updated using removable storage that is at some point plugged into a regular computer in a government office. Hackers need only compromise that computer, and they can use that toehold to copy a Stuxnet-like worm onto all removable storage that comes into contact with it and matches a certain profile. Once plugged into a voting machine, that worm could alter the machine's software to subtly change the vote. A particularly well-written worm would automatically reverse those changes after the election to cover its tracks.

There's a defense against the possibility of hacked voting machines: good, old-fashioned paper. Thanks to tireless advocacy by EFF and other voting security experts, many e-voting machines record a paper copy of all votes. But, like a seat belt, these paper records only work if you use them. Currently, U.S. states need far more buckling up.

That could change. Candidates can petition for a recount. The deadlines for such a petition are coming up fast: Friday in Wisconsin, Monday in Pennsylvania, and Wednesday in Michigan. It's especially worth auditing the vote in these states, because they had some of the closest margins in the presidential election and therefore are the most interesting targets for hackers looking to swing the election.

Counting the paper ballots isn't just good for increasing voter confidence in this year's election, it's good electoral hygiene and a basic safety measure. We hope that audits this year can serve as a guiding example for states to improve their election systems for future years: by replacing paperless voting machines with optical scan systems and adopting inexpensive risk-limiting audits as a routine matter.

With concerns about election hacking higher than ever, this is a turning point in securing our election systems. We ask the Clinton campaign: call for for recounts in Wisconsin, Pennsylvania, and Michigan. Even if you think an election-changing result is unlikely, it is a vital step on the road to securing our democracy.

Sen. Ron Wyden’s new proposal to protect the integrity of U.S. elections, the Protecting American Votes and Elections (PAVE) Act of 2019, takes a much needed step forward by requiring a return to paper ballots. The bill forcefully addresses a grave threat to American democracy—outdated election technologies used...

UPDATE February 9 2019: Victory! These bills did not make it out of committee. Experts agree: Internet voting would be an information security disaster. Unfortunately, the Commonwealth of Virginia is considering a pair of bills to experiment with online voting. Pilot programs will do nothing to contradict the...

The ability to vote for local, state, and federal representatives is the cornerstone of democracy in America. With mid-term congressional elections looming in early November, many voices have raised concerns that the voting infrastructure used by states across the Union might be suspect, unreliable, or potentially vulnerable to attacks. As...

Right now, the U.S. Senate is debating an issue that’s critical to our democratic future: secure elections. Hacking attacks were used to try to undermine the 2016 U.S. election, and in recent years, elections in Latin America and Ukraine were also subject to cyber attacks. It only makes sense to...

The Senate is working on a bill to secure election infrastructure against cybersecurity threats, but, unless amended, it will widely miss the mark. The current text of the Secure Elections Act1 omits the two most effective measures that could secure...

Most of the internet’s most popular voter registration sites make no promise to not turn and sell your information to advertisers, a Vocativ analysis has found. Of the nine major voter registration sites surveyed, only vote.gov, maintained by the U.S. General Services Administration, explicitly promises to neither share...

“Honestly, the real answer is 'it depends.' Marking election systems as critical infrastructure might help us begin to make them more secure, but not necessarily. And federalizing election systems could make us less secure by creating fewer points of failure. But overall, [the Electronic Frontier Foundation] and our colleagues at...

Buenos Aires is currently in the middle of electing its mayor and city council. With a first round that took place on July 5th, and a second round due on July 19th, the election is the first time Argentina's capital city has used an electronic voting system called ...